expansion-signal-spotter
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE
Finding categories: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface due to its reliance on fetching untrusted external data.
- Ingestion points: In Phase 1 (Signal Detection), the skill uses web_search and fetch_webpage to retrieve content from external websites, job boards, and news sources (SKILL.md).
- Boundary markers: The instructions do not define delimiters or provide 'ignore embedded instructions' warnings when processing retrieved web content.
- Capability inventory: The skill has access to sensitive local files (customer CSVs/sheets) and the ability to perform further network operations and file writes (SKILL.md).
- Sanitization: There is no evidence of filtering or validation of the fetched external content before it is used to generate expansion scores or talk tracks.
- [DATA_EXFILTRATION]: The skill manages a high-sensitivity data surface by requesting access to internal customer lists containing MRR/ARR, product usage patterns, and primary contact LinkedIn URLs. While this data is necessary for the skill's primary purpose, the combination of sensitive data access and external web fetching creates a risk surface where an indirect prompt injection could potentially lead to the exfiltration of business-critical information.
- [COMMAND_EXECUTION]: The skill documentation suggests establishing persistence and autonomous execution by adding a cron job to the user's system to run run_skill.py (SKILL.md). This would allow the agent to operate on a weekly basis without direct human supervision, which amplifies the risk associated with the other findings.
Audit Metadata